On Wed, May 6, 2009 at 15:13, Ingo Molnar <mingo@xxxxxxx> wrote: > doing a (per arch) bitmap of harmless syscalls and replacing the > mode1_syscalls[] check with that in kernel/seccomp.c would be a > pretty reasonable extension. (.config controllable perhaps, for > old-style-seccomp) > > It would probably be faster than the current loop over > mode1_syscalls[] as well. This would be a great option to improve performance of our sandbox. I can detect the availability of the new kernel API dynamically, and then not intercept the bulk of the system calls. This would allow the sandbox to work both with existing and with newer kernels. We'll post a kernel patch for discussion in the next few days, Markus -- To unsubscribe from this list: send the line "unsubscribe sparclinux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
